CSRD and ESRS explained: what the corporate sustainability reporting directive requires

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

What the regulation does

The Corporate Sustainability Reporting Directive (Directive (EU) 2022/2464, commonly referred to as CSRD) requires companies to report on their sustainability impacts, risks, and opportunities in a standardised, audited, and machine-readable format. It replaces the Non-Financial Reporting Directive (NFRD), which applied to a narrower set of large public-interest entities and produced disclosures of widely varying quality and comparability.

The case for replacing the NFRD was straightforward. Investors, regulators, and civil society could not meaningfully compare sustainability disclosures across companies because there was no standard format, no mandatory assurance requirement, and no consistent definition of what had to be reported. The CSRD addresses all three problems. It introduces the European Sustainability Reporting Standards (ESRS) as a mandatory reporting framework, requires independent limited assurance from the first reporting year (with a pathway to reasonable assurance over time), and requires reports to be filed in a machine-readable digital format using the European Single Electronic Format (ESEF).

The result is sustainability reporting that is, for the first time, directly comparable across companies and sectors, and subject to the same kind of external verification that financial reporting has long required.

Who is in scope

The CSRD applies in phases, with scope determined primarily by company size and listing status.

Large public-interest entities with more than 500 employees were already reporting under the NFRD. These companies began reporting under CSRD for their 2024 financial year, with first CSRD-compliant reports published in 2025. This group includes listed companies, banks, and insurance companies meeting the employee threshold.

Other large EU companies begin reporting for their 2025 financial year, with first reports due in 2026. A company is large for this purpose if it meets two of three criteria: more than 250 employees, more than €40 million in net turnover, or more than €20 million on the balance sheet. This group is substantially larger than the NFRD population and includes many companies that have never been subject to mandatory sustainability reporting.

Listed SMEs begin reporting for their 2026 financial year, with first reports due in 2027. They may opt out until 2028. Unlisted SMEs are not directly in scope, though they may face data requests from larger companies in their value chain.

Non-EU companies are in scope if they have significant EU operations: specifically, companies with net turnover above €150 million generated in the EU for two consecutive years, with at least one EU subsidiary meeting the large company criteria or at least one EU branch generating more than €40 million in net turnover. Non-EU parent companies meeting these thresholds must produce a CSRD-compliant sustainability report, either at group level or covering their EU operations.

The non-EU scope is a significant extension of reach. A large manufacturer headquartered in Asia that generates substantial EU revenue and has an EU subsidiary will be directly subject to CSRD regardless of where its parent is domiciled.

The European Sustainability Reporting Standards

The detailed content of what must be reported is set out in the European Sustainability Reporting Standards, developed by the European Financial Reporting Advisory Group (EFRAG) and adopted by the European Commission as delegated acts. The ESRS are to CSRD what IFRS Accounting Standards are to financial reporting: the technical rulebook that specifies exactly what information must be disclosed and how.

The current ESRS framework consists of twelve topical standards organised across three categories, plus two cross-cutting standards.

Cross-cutting standards

ESRS 1 sets out the general requirements for how sustainability information must be presented: the reporting boundary, the treatment of estimates and uncertainties, the format requirements, and the principles that govern the overall report.
ESRS 2 covers general disclosures that all in-scope companies must make regardless of their specific sustainability profile. These include governance disclosures (how the board oversees sustainability matters), strategy disclosures (how sustainability risks and opportunities affect the company’s business model), and the description of the double materiality assessment process.

Environmental standards

ESRS E1 covers climate change, including the company’s greenhouse gas emissions across Scopes 1, 2, and 3, its climate transition plan, and its physical climate risks.
ESRS E2 covers pollution: emissions to air, water, and soil, and the use and release of substances of concern.
ESRS E3 covers water and marine resources: water consumption, withdrawal, and discharge, and the company’s impacts on aquatic ecosystems.
ESRS E4 covers biodiversity and ecosystems: impacts on habitats, species, and ecosystem services, and the company’s dependencies on natural resources.
ESRS E5 covers resource use and the circular economy: material consumption, waste generation, and how the company manages the end-of-life of its products.

ESRS S1 covers the company’s own workforce: working conditions, equal treatment, and the provision of adequate wages, working time, and health and safety protections for direct employees and non-employee workers.
ESRS S2 covers workers in the value chain: the working conditions and human rights of people employed by the company’s suppliers and downstream business partners.
ESRS S3 covers affected communities: impacts on local communities, indigenous peoples, and communities affected by the company’s operations or supply chain.
ESRS S4 covers consumers and end-users: privacy, product safety, and the accessibility and affordability of the company’s products.

Governance standard

ESRS G1 covers business conduct: anti-corruption, anti-bribery, political engagement, whistleblower protection, and responsible supplier relationships.

The double materiality assessment

Not every ESRS topic is equally relevant to every company. A pharmaceutical company has a materially different sustainability profile from a timber trader or a software firm. The ESRS addresses this through a concept called double materiality, which is one of the most important and most frequently misunderstood aspects of CSRD.

Double materiality requires companies to assess materiality from two directions simultaneously.

Financial materiality asks whether a sustainability issue poses a material risk or opportunity for the company itself: could climate change disrupt the company’s operations or supply chain? Could new regulation affect its cost base? Could changing consumer preferences affect its revenue? This direction looks inward: sustainability as a factor affecting the company’s financial performance.

Impact materiality asks whether the company has material impacts on people or the environment: does its production process generate significant greenhouse gas emissions? Does its supply chain rely on labour practices that violate human rights? Does its land use affect biodiversity? This direction looks outward: the company as a factor affecting the world.

A topic is material under CSRD if it is material from either direction. A topic that is both financially material and impact material is clearly reportable. But a topic that generates significant environmental harm, even if that harm does not currently affect the company’s financial performance, is still material under the impact materiality limb.

This is a significant departure from purely financial definitions of materiality and from how most companies have historically approached sustainability reporting. It means that companies cannot limit their disclosures to sustainability issues that affect their bottom line. They must also disclose impacts on the world that may not have measurable financial consequences for the company itself.

The double materiality assessment is not merely an internal decision-making exercise. It is itself a disclosure requirement. Companies must describe the process they used to identify material topics, the criteria they applied, the stakeholders they consulted, and the conclusions they reached. Auditors assess the quality of this process as part of their assurance engagement.

What the report must contain

A CSRD-compliant sustainability report must be included in the company’s management report, not published as a separate document. This integration with the primary financial report is deliberate: sustainability information is positioned as part of the core company reporting package, not an optional supplement.

The report must cover:

The business model and strategy: How sustainability risks and opportunities affect the company’s strategy and business model, and what resilience the strategy has to those risks.
Targets and progress: Sustainability targets the company has set, including whether they are time-bound and science-based, and progress against those targets in the current period.
The role of the board and management: How sustainability oversight is structured, which board members or committees are responsible, and how sustainability is integrated into senior management incentives.
Material impacts, risks, and opportunities: For each material ESRS topic, the nature of the impact, risk, or opportunity, its actual or potential severity, and what the company is doing about it.
Due diligence processes: How the company identifies, prevents, mitigates, and accounts for actual and potential adverse sustainability impacts in its own operations and its value chain.
Quantitative metrics: The specific metrics required by each material ESRS topic, including emissions data, workforce indicators, biodiversity metrics, and others as applicable.

The report must be filed in a machine-readable format using XBRL tagging aligned with the ESEF taxonomy. This requirement enables regulators, investors, and data providers to extract and compare sustainability data across companies automatically, without manual processing.

Value chain scope and what it means for suppliers

The ESRS requires in-scope companies to report on material sustainability impacts, risks, and opportunities not just in their own operations but across their entire value chain. This includes upstream suppliers, downstream distributors, and end-users.

For a large EU retailer, this means reporting on the working conditions of factory workers in its supplier countries, the deforestation risk associated with agricultural commodities in its food supply chain, and the carbon emissions generated by its logistics providers. None of these parties are themselves subject to CSRD. But the retailer cannot produce a compliant CSRD report without data about them.

This is the mechanism by which CSRD creates obligations for non-EU suppliers who are not directly in scope. A Vietnamese garment manufacturer supplying a large German retailer will receive requests from that retailer for data on its greenhouse gas emissions, its workforce practices, its water consumption, and its waste management. Those requests are not discretionary: they are driven by the retailer’s legal obligation to report on its value chain.

The requests will not always be clearly framed as CSRD data collection. They may arrive as supplier questionnaires, ESG assessment forms from third-party platforms, or contractual requirements attached to new supplier agreements. The underlying driver is the same in each case.

Suppliers who cannot provide the requested data will not necessarily lose contracts immediately. But as CSRD reporting matures and the comparability and assurance requirements intensify, EU buyers will increasingly favour suppliers who can provide reliable sustainability data over those who cannot. The commercial risk of not engaging is real, even if it materialises gradually.

A detailed guide to how CSRD supply chain obligations flow to non-EU suppliers, and what that means in practice, will be published shortly in this series.

Limited assurance and what it requires

One of the most significant differences between CSRD and its predecessor is the requirement for independent assurance. Under the NFRD, external verification of non-financial disclosures was optional and rarely obtained. Under CSRD, limited assurance is mandatory from the first reporting year.

Limited assurance means that an independent auditor reviews the sustainability report and concludes that nothing has come to their attention to suggest the report is not prepared in accordance with the applicable standards. It is less demanding than the reasonable assurance required for financial statements, but it is still a formal engagement with legal consequences for the auditor.

The CSRD anticipates a transition to reasonable assurance over time, once the methodologies for assessing sustainability disclosures have matured. The Commission is required to assess whether to introduce reasonable assurance requirements by 2028 at the latest.

For companies, the assurance requirement has practical consequences beyond simply engaging an auditor. It means that sustainability disclosures must be supportable: backed by documented processes, verifiable data sources, and an audit trail. Claims that cannot be substantiated will not survive the assurance engagement. This pushes sustainability reporting toward the discipline and rigour that financial reporting has long required.

CSRD and the EU Taxonomy

Companies subject to CSRD must also disclose their alignment with the EU Taxonomy Regulation, which defines what counts as a sustainable economic activity. Specifically, they must report what proportion of their revenue, capital expenditure, and operating expenditure relates to Taxonomy-aligned activities.

This disclosure sits within ESRS E1 (climate change) and in the general disclosures under ESRS 2, but the underlying analytical work is substantial. A company must determine which of its economic activities fall within the scope of the Taxonomy, whether those activities meet the technical screening criteria for substantial contribution to a Taxonomy objective, whether they pass the do no significant harm (DNSH) test, and whether the company meets the minimum social safeguards.

For many companies, Taxonomy alignment assessment is difficult in practice because the technical screening criteria are highly specific and the data required to assess them is not always available from internal systems or supply chain partners. This is an area where the gap between the legal requirement and practical implementation remains significant.

The interaction with CSDDD

CSRD and the Corporate Sustainability Due Diligence Directive (CSDDD) are related but distinct obligations. Understanding the difference matters because they require different things.

CSRD is primarily a reporting obligation. It requires companies to disclose what they do, what their impacts are, and what risks and opportunities they face. A company subject only to CSRD must report on its due diligence processes, but the regulation does not itself prescribe what those processes must involve or what outcomes they must achieve.

CSDDD is an operational obligation. It requires large EU companies to actually conduct due diligence: to identify adverse human rights and environmental impacts in their supply chains, take action to prevent and mitigate them, and establish complaints and remediation mechanisms. The outputs of that due diligence will then feed into CSRD disclosures.

For companies subject to both regulations, the two frameworks are complementary. CSDDD defines what due diligence must be done. CSRD defines how it must be reported. But the scope of CSDDD is narrower than CSRD: it applies only to companies above significantly higher employee and turnover thresholds, and its application dates are later. Many companies subject to CSRD are not subject to CSDDD, at least in the early years.

A detailed guide to CSDDD obligations will be published shortly in this series.

What to do with this information

If your company is directly in scope for CSRD, the starting point is determining which ESRS topics are material to your business through a double materiality assessment. That assessment drives everything else: which standards apply, which metrics must be collected, and which value chain data requests are necessary. The assessment should be documented with enough rigour to survive the assurance engagement.

If your company is in the supply chain of an in-scope company but is not itself directly subject to CSRD, the immediate practical step is to understand what data your EU buyers are likely to request. The ESRS S2 standard, covering workers in the value chain, and ESRS E1, covering climate change and Scope 3 emissions, are the most common sources of supply chain data requests. Being in a position to respond to those requests accurately and efficiently is increasingly a condition of being a preferred supplier.

The deadlines are not future planning items. Large EU companies with more than 500 employees have been filing CSRD reports since 2025. Other large companies are filing now. Supply chain data requests are already arriving.

An overview of how CSRD fits within the broader EU sustainability regulatory landscape, including its interaction with EUDR, CBAM, and the EU Taxonomy, is available here: EU sustainability regulation in 2026: an overview of what is now in force.

This article is part of the Verdandi EU sustainability regulation series. Verdandi is Citium’s EU sustainability compliance tracker, currently in development. If you want to be kept informed ahead of launch, get in touch.